Status: This document is a Kantara Initiative Technical Specification Recommendation produced by the Consent & Information Sharing Work Group, and has been approved by the Group. The Public Comment and Intellectual Property Rights Review has been completed. It has been approved by the Membership of the Kantara Initiative. See the Kantara Initiative Operating Procedures for more information.

Abstract: A Consent Receipt is record of authority granted by a Personally Identifiable Information (PII) Principal to a PII Controller for processing of the Principal's PII. The record of consent is human-readable and can be represented as standard JSON. This specification defines the requirements for the creation of a consent record and the provision of a human-readable receipt. The standard includes requirements for links to existing privacy notices & policies as well as a description of what information has been or will be collected, the purposes for that collection as well as relevant information about how that information will be used or disclosed. This specification is based on current privacy and data protection principles as set out in various data protection laws, regulations and international standards.

The main purposes of the Kantara Initiative Privacy Control Panel (Kantara PCP) system are a) to allow people to see, organize, find details via a ‘data processing receipt’ construct about the conditions under which they agreed to provide information for data processing; and b) to give them tools to investigate the data processing receipts they might have received or modify the permissions they granted when they initially shared the data for processing.

In the Kantara vision, whenever an individual is asked for their personal data, or whenever their personal data is acquired, a ‘data processing receipt’ is created by the data controller. The receipt includes details about the conditions under which the data was obtained: the privacy notices provided; the lawful basis and purposes for collecting and processing data; the terms of the agreement and other metadata related to the interaction.

These data processing receipts could be offered by the data controller’s system to the individual for storage in their personal Privacy Control Panel application.

Once the data processing receipts are in the personal PCP, the person can organize them and inspect them to ensure they are valid, current and actually represent what happened.

The PCP gives the person tools to take action with the receipts including view, validity check, request the data, revoke consent, change permissions, or erase the data. In other words to exercise their data subject rights.

On the consent management platform and data controller system side, standard data processing receipt APIs could be offered. The PCP utilizes these APIs.

Five Kantara Members who are active Consent & Information Sharing Work Group contributors invested developer time to create external Kantara-spec Consent Receipts. These receipts were stored at a user-specified location, then viewed using a viewer created by OpenConsent. From start to finish, it took about 7 weeks to design, build, test and deliver.

The demo was a hit - lots of conference delegates engaged with the presenters and we are hoping to see that interest result in more WG participants and more demo apps - and hopefully some of these in shipping products!

After the first two conference presentations, we now have two more solutions to fit into the demo.

This working group has been evolving since 2009, starting out as the Information Sharing WG focused on catalysing a rich flow of consent based personal information - from a CRM perspective - actual demand data (as opposed to predicted demand) can be engineered with better personal data control then could be found in any traditional CRM products and departments. The first work stream was led by Joe Andrieu and Iain Henderson, which produced the Information Sharing Label Notice for people.

The result of this effort was the proposal to Kantara, ISWG to focus on a consent work stream, which resulted in this WG name change to the Consent & Information Sharing WG (CISWG). This work stream has focused on making an identity management usable consent record called the "Consent Receipt", driven largely by major contributions from Mary Hodder, John Wunderlich, Iain Henderson and Mark Lizar who brought the spec to a v.1, with a special thanks to David Turner and extra special effort of Andrew Hughes to bring together the release of V1.1 to be published on May 25, 2018 . This specification is now growing adoption in the EU and US healthcare, consent management, policy frameworks, smart contracts.

Special mention to UMAWG and Eve Maler for providing the shining example for how to develop a specification by consensus and Justin Richer for building the first consent receipt generator

This Workgroup is open for interested participants, the work product that is produced is under a Royalty Free (openly usable) RAND license. The work produced is provided for review by industry, public sector, regulators, other standards organisations like the ISO of ISO/IEC JTC 1/SC 27/WG 5, and community partners; like Project VRM, who have supported the long term development of tools for individual autonomy over personal information.

Project VRM community also drive a work stream in CISWG with Customer Commons called User Submitted Terms, which is focused on a common set of icons that customers can use to signal their intent.

The WG members often meet at conferences and workshops in the US and EU, which happen annually for those who want to meet in person.

Kantara presented a demonstration of Interoperable Consent Receipts at the MyData 2018 conference, Helsinki, August 28, 2018 https://mydata2018.org/presentations/ in the Consent In Action Session https://mydata2018.org/sessions/consent-in-action/ there are excellent presentation videos - it's a very interesting conference.
Five Kantara Members who are active Consent & Information Sharing Work Group contributors invested developer time to create external Kantara-spec Consent Receipts.…

The workshop on Real Consent was a great success. Even with such short notice, the room was full and we had a great set of speakers attend.
The Workshop started with an introduction from Michele Nati @digicatapult about the Personal Data & Trust Network. .
The Speaker Arrangements:
First up was Mark Lizar form the Open Consent Group. Discussing Real and Open Consent
Second was Richard Beaumont from Govenor technologies,…